zeek-osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection
Intrusion Detection Systems (IDSs) can analyze network traffic for signs of
attacks and intrusions. However, encrypted communication limits their
visibility and sophisticated attackers additionally try to evade their
detection. To overcome these limitations, we extend the scope of Network IDSs
(NIDSs) with additional data from the hosts. For that, we propose the
integrated open-source zeek-osquery platform that combines the Zeek IDS with
the osquery host monitor. Our platform can collect, process, and correlate host
and network data at large scale, e.g., to attribute network flows to processes
and users. The platform can be flexibly extended with custom detection scripts
that use the already correlated host data as well as additional, dynamically
retrieved host data. A distributed deployment enables it to scale with an arbitrary number of
osquery hosts. Our evaluation results indicate that a single Zeek instance can
manage more than 870 osquery hosts and can attribute more than 96% of TCP
connections to host-side applications and users in real-time.
Comment: Accepted for publication at ICT Systems Security and Privacy Protection (IFIP) SEC 202
Visualizing traffic causality for analyzing network anomalies
ABSTRACT
Monitoring network traffic and detecting anomalies are essential tasks that are carried out routinely by security analysts. The sheer volume of network requests often makes it difficult to detect attacks and pinpoint their causes. We design and develop a tool to visually represent the causal relations between network requests. The traffic causality information enables one to reason about the legitimacy and normalcy of observed network events. Our tool, with a special visual locality property, supports the different levels of visual-based querying and reasoning required for the sensemaking process on complex network data. Leveraging their domain knowledge, security analysts can use our tool to identify abnormal network activities and patterns caused by attacks or stealthy malware. We conduct a user study that confirms our tool can enhance the readability and perceptibility of the dependencies in host-based network traffic.